A cyber security expert accessed information from over 100,000 iTunes accounts without Apple's consent

Yesterday we told you that Ibrahim Balic, an expert in computer security, discovered a bug that allowed him to access information belonging to Apple employees, application developers, and ordinary users. Balic accessed the accounts of 73 Apple employees and those of 100,000 iTunes users through a vulnerability in the iAd system designed by Apple. Balic discovered the vulnerability on June 18, along with 13 others that were later sent to Apple. The security expert claims that requests sent to Apple's servers through iAd Workbench can be easily manipulated.

It's too bad, though, that the video seemed so definitive: After showing off images of Apple's downed Dev Center and the company's official response, Balic then showed a slew of files that seemed to contain full names and email addresses. It seems pretty damning, but Balic says that he never went after the Developer Center site directly, and all that user information he highlighted came from the iAd Workbench. Two separate bugs paved the way for one very confusing video.

Based on this iAd vulnerability, Balic wrote a Python script that allowed him to collect all the data shown yesterday in a video clip, that is, the thousands of iTunes accounts and those of Apple employees. Apart from this vulnerability, Balic discovered that the portal dedicated to developers can be exploited through an XSS attack, though he stated that he did not do so. Although he obtained the developers' data in order to prove the vulnerabilities, Balic claims that it does not come from the Dev Center and that he did not take any other data from that portal. Apple stated exactly the same thing yesterday.

Throughout our conversation, Balic maintained that he was only ever trying to help Apple. When asked why he downloaded all that user data rather than simply reporting the bug, Balic says he just wanted to see how "deep" he could go. If he wanted to do ill, he says, he wouldn't have reported everything he found. For what it's worth, he also says he never attempted to reset anyone's password — the farthest he went was to email one of the addresses he had discovered and ask if it was really the person's Apple ID. Balic didn't get a response.

Despite the statements made by the developer, if he really is to blame for the closing of the Dev Center, Apple could take legal action against him and sue him for the problems caused.